Re: [karp] Security Extension for OSPFv2 when using Manual Key Management

[Michael Barnes <mjbarnes@cisco.com>]

Hi Sam,

On 01/19/2011 10:13 AM, Sam Hartman wrote:
>>>>>> "Michael" == Michael Barnes<mjbarnes@cisco.com>  writes:
>
>      Michael>  Hi Sam,
>      Michael>  On 01/14/2011 04:34 AM, Sam Hartman wrote:
>      >>  We could have separate authentication challenge packets.
>      >>  However, the advantage of the current approach is that I think we
>      >>  can get to a point where we have one or two extra packets total
>      >>  for a cold-start situation, rather than an extra packet or two
>      >>  per neighbor.  I don't know that the current rules for receiving
>      >>  and sending packets actually achieve this, but I believe we can
>      >>  get there with some minor changes.
>
>      Michael>  I've been giving this some thought, and I think exchanging
>      Michael>  a couple of additional packets in the cold start situation
>      Michael>  is more desirable than overloading the Hello packet with an
>      Michael>  additional security role. The Hello packet already services
>      Michael>  two very important purposes - discovery and keep alive. It
>      Michael>  is highly desirable not to add to the processing overhead
>      Michael>  for these packets.
>
> I'd like to understand your concerns here.  Are you concerned about CPU
> for processing the hello packet? Bandwidth of the hello packets?  I'd
> like to actually get educated about the tradeoffs enough that I can have
> an intelligent discussion.

I don't think the bandwidth is really an issue, but CPU is. It is 
important that processing of these packets can be completed as quickly 
as possible. We are constantly being asked to scale to ever larger 
number of neighbors and adding overhead to Hello packets could make this 
security mechanism undesirable in those settings.

Regards,
Michael